Data layer guards for the Chio runtime kernel.

This crate houses guards that inspect the semantics of data-store accesses rather than merely the presence of a tool. Phase 7.1 of the Chio roadmap ships the first such guard, [SqlQueryGuard], which parses SQL queries submitted to database tools and enforces allowlists on operations, tables, columns, and predicates.

Future phases (7.2, 7.3, 7.4) will add VectorDbGuard, WarehouseCostGuard, and the post-invocation QueryResultGuard in this same crate. The module layout is designed to absorb those additions without breaking the public surface.

Relationship to chio-guards

chio-data-guards is a sibling of chio-guards. It reuses the [chio_kernel::Guard] trait and the [chio_guards::extract_action] dispatcher; it does not redefine either. Pipelines compose the two crates transparently:

use chio_guards::GuardPipeline;
use chio_data_guards::{SqlGuardConfig, SqlQueryGuard};

let mut pipeline = GuardPipeline::default_pipeline();
pipeline.add(Box::new(SqlQueryGuard::new(SqlGuardConfig::default())));

Fail-closed

Every guard in this crate is fail-closed. Parse errors deny, empty configurations deny, and invalid user-supplied regex configuration rejects policy loading or constructs a deny-all guard.